Sign-in handled by Google's auth infrastructure. Industry-standard OAuth, password hashing.
Security by default.
A short, honest summary of how we protect your account and data. We're a young company, but we built RunDo with the security baseline that older platforms had to bolt on years later.
Account security
Your account is the front door. Locked by default.
Authenticator app codes (Google Authenticator, Authy, 1Password). Owners can require 2FA org-wide.
See and revoke sessions from any device. Auto-logout after configurable idle time.
Every admin action logged with actor, timestamp, before/after state. Exportable.
Infrastructure
Supabase ap-southeast-1 region. Cloudflare for DNS, CDN, edge security.
Every 6 hours, retained 30 days, replicated to a second region for disaster recovery.
All traffic TLS 1.3. All data at rest AES-256. Vault for sensitive credentials.
Limited to 2 people. Quarterly access review. SSH keys + 2FA required.
Compliance roadmap
Where we are today, where we're going.
- 01 Today: PDPA-compliant (Singapore)
  Fully aligned with Singapore's Personal Data Protection Act from day 1. Data residency, breach notification, data subject rights all in place.
- 02 Today: GDPR-aligned (EU)
  Standard Contractual Clauses for cross-border transfers. Data subject rights honoured. DPA available on request.
- 03 Q4 2026: SOC 2 Type 1
  Currently in audit. Expected report Q4 2026.
- 04 2027: SOC 2 Type 2 + ISO 27001
  Multi-year operational evidence required. On track for late 2027.